vCSA and trusted AD sources

01/04/2018

Just a quick write-up for my own convenience. Large organizations tend to have a lot of everything, from buildings and employees to Domain Controllers.
When Domain Controllers undergo maintenance, like an upgrade or relocation, dependent services may be impacted.
The way identity sources are configured differs per product; fortunately, they are less often hard-coded to a single domain controller and more often configured flexibly by specifying the AD domain.

For a vCenter Server Appliance (vCSA), additional identity sources can be configured; one commonly used is Active Directory (Integrated Windows Authentication).


By the way, as a prerequisite, the vCSA should be joined to the Windows domain.

If you are curious which domain controllers are actually in use by the vCSA, do the following:

Open an SSH session to the vCSA.

Switch to the Bash shell (see this post for more information).

cd to /var/lib/likewise.

Read the content of the file krb5-affinity.conf using the cat command.

Depending on your configuration it should look something like this:


Per Windows domain, the IP addresses of all connected domain controllers are shown. From here, you can look up the names of the DCs.

If your environment is configured with one or more external Platform Services Controllers (PSC), you must log on to a PSC instead of the vCSA!
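The steps above, as an added example that is not part of the original post: a small script that parses the Likewise file and prints the domain controllers per Windows domain, with a reverse DNS lookup so the IPs can be matched to DC names. It assumes the file uses krb5.conf syntax (a [realms] section with one "kdc = <ip>" line per DC) and falls back to a constructed sample when the file is not present.

```shell
#!/bin/sh
# Added example, not from the original post: list the domain controllers the
# vCSA (or PSC) currently has an affinity to, per Windows domain, by parsing
# the Likewise file the post reads with cat. Assumed file format: krb5.conf
# syntax with a [realms] section and one "kdc = <ip>" line per DC.
CONF=/var/lib/likewise/krb5-affinity.conf

# Constructed sample standing in for the real file when it is not present
SAMPLE_CONF='[realms]
    CORP.EXAMPLE.COM = {
        kdc = 10.10.1.5
        kdc = 10.10.1.6
    }
    LAB.EXAMPLE.COM = {
        kdc = 10.20.1.5
    }
'

# list_kdcs: read the config on stdin, print one "REALM IP" pair per line
list_kdcs() {
    awk '
        /^[ \t]*\[/ { section = $0; gsub(/\[|\]|[ \t]/, "", section); next }
        section == "realms" && /= *\{/ {
            realm = $0; sub(/^[ \t]*/, "", realm); sub(/[ \t]*=.*$/, "", realm)
            next
        }
        section == "realms" && /^[ \t]*kdc[ \t]*=/ {
            ip = $NF
            sub(/:[0-9]+$/, "", ip)      # drop an optional :port suffix
            print realm, ip
        }'
}

# resolve_kdcs: add the DNS name of each DC (reverse lookup via getent),
# so the IPs from the file can be matched to DC names
resolve_kdcs() {
    while read -r realm ip; do
        name=$(getent hosts "$ip" | awk '{ print $2 }')
        printf '%-24s %-16s %s\n' "$realm" "$ip" "${name:-<unresolved>}"
    done
}

if [ -r "$CONF" ]; then
    list_kdcs < "$CONF" | resolve_kdcs
else
    printf 'Note: %s not found, showing the constructed sample\n' "$CONF"
    printf '%s' "$SAMPLE_CONF" | list_kdcs
fi
```

On an environment with external PSCs, run it on the PSC, as the post notes.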

VMware does not provide much information regarding the selection process. In “FAQ: VMware Platform Services Controller in vSphere 6.0 (2113115)”, I found this quote:

“When using the Active Directory (Integrated Windows Authentication) identity source, pair the PSC as close to the local Active Directory Domain Controller(s) (DC) as possible, with minimal hop count to reach them. The PSC, both Windows-based and Appliance-based, has improved logic to allow for SAML token creation, requests as well as User and Group querying that will leverage the nearest DC within the environment to provide the best performance for log-in. Additionally, depending on the complexity of your Active Directory environment, there are known limitations.”

As always, I thank you for reading.


Running unmap on a large number of datastores

08/03/2018

With the VMFS-6 filesystem came the option to automatically unmap datastores. In short, the unmap command is used to reclaim unused storage blocks on a VMFS datastore when thin provisioning is used.

When Datastores are still on VMFS-5, reclaiming disk space is a manual process. VMware KB “Using the esxcli storage vmfs unmap command to reclaim VMFS deleted blocks on thin-provisioned LUNs (2057513)” details how to use the unmap command.

The action is performed on an ESXi host; the basic command looks like this:

# esxcli storage vmfs unmap -l <Volume label>

Where Volume label is the human-readable name of a datastore, like “VMFS01”.

Depending on the size of the datastore(s), running unmap will take quite some time. If you have a few datastores, you run this command a couple of times and voilà. If your cluster(s) have dozens of datastores, the following workaround can help you.
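One way to run the unmap command over many datastores, as an added example that is not the post's own workaround: select the mounted VMFS-5 volumes from the host's filesystem list and unmap them one after the other. It assumes the default table layout of "esxcli storage filesystem list" (columns Mount Point, Volume Name, UUID, Mounted, Type, Size, Free) and uses a constructed sample of that table when esxcli is not available.

```shell
#!/bin/sh
# Added example, not from the original post: reclaim space on every mounted
# VMFS-5 datastore an ESXi host sees by running the post's unmap command per
# volume label, sequentially (parallel unmaps just compete for the same
# storage). VMFS-6 volumes are skipped because they unmap automatically.
# Assumed: the default "esxcli storage filesystem list" table with the columns
# Mount Point, Volume Name, UUID, Mounted, Type, Size, Free.

# Constructed sample of that table, used when esxcli is not available
SAMPLE_FS_LIST='Mount Point              Volume Name  UUID       Mounted  Type    Size  Free
-----------------------  -----------  ---------  -------  ------  ----  ----
/vmfs/volumes/uuid-0001  VMFS01       uuid-0001  true     VMFS-5  1024  512
/vmfs/volumes/uuid-0002  VMFS02       uuid-0002  true     VMFS-6  1024  512
/vmfs/volumes/uuid-0003  OLD VMFS03   uuid-0003  true     VMFS-5  1024  256
/vmfs/volumes/uuid-0004  VMFS04       uuid-0004  false    VMFS-5  1024  512
/vmfs/volumes/uuid-0005  BOOTBANK1    uuid-0005  true     vfat    256   128'

# vmfs5_labels: read the table on stdin, print one mounted VMFS-5 label per
# line. Fields are counted from the right so labels may contain spaces.
vmfs5_labels() {
    awk 'NR > 2 && $(NF-2) == "VMFS-5" && $(NF-3) == "true" {
        label = $2
        for (i = 3; i <= NF - 5; i++) label = label " " $i
        print label
    }'
}

# unmap_all: one unmap per label from stdin, with timestamps so a long run
# can be followed in the session log
unmap_all() {
    while IFS= read -r label; do
        printf '%s start  %s\n' "$(date '+%F %T')" "$label"
        if ! esxcli storage vmfs unmap -l "$label"; then
            printf '%s FAILED %s\n' "$(date '+%F %T')" "$label" >&2
        fi
        printf '%s done   %s\n' "$(date '+%F %T')" "$label"
    done
}

if command -v esxcli >/dev/null 2>&1; then
    esxcli storage filesystem list | vmfs5_labels | unmap_all
else
    printf 'esxcli not found, labels from the constructed sample:\n'
    printf '%s\n' "$SAMPLE_FS_LIST" | vmfs5_labels
fi
```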



vCSA, root partition is (almost) full

18/02/2018

A short post on a topic that I recently experienced on the vCenter Server Appliance, version 6.0.
After receiving an alert that the root “/” partition was quickly filling up, it was time to act quickly. When the root partition reaches 100% of its capacity, service disruption can occur.
The first step is to check the capacity of the vCSA partitions. Log in to the vCSA through SSH; if you are running the appliance shell, enable and access the Bash shell:

Command> shell.set --enabled true
Command> shell

In the Bash shell run this command to check the capacity of the partitions:

# df -h

The second line of the output (starting with /dev/sda3) shows the status of the root partition. If the value under Use% reaches 100%, you are in trouble. Also notice that the root partition is only 11 GB.
The second step is to determine the root cause of the full partition. A good strategy is to look for large consumers. The next command searches for files larger than 100 MB, only on the root partition (-xdev keeps find from descending into other mounted filesystems):

# find / -xdev -type f -size +100M

In my case, this gave some interesting results:

/usr/lib/vmware-sca/wrapper/bin/wrapper.log
/usr/lib/oracle/11.2/client64/lib/libociei.so
/var/log/dnsmasq.log-20180121
/var/log/dnsmasq.log-20180128
/var/log/dnsmasq.log-20180107
/var/log/dnsmasq.log-20180114
/var/log/dnsmasq.log
/etc/vmware-vpx/docRoot/client/Vmware-viclient.exe

The most eye-catching files are: the wrapper.log and the dnsmasq.log files.
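The two steps above, as an added check that is not from the original post: it reports the Use% of the root partition and, at or above a threshold, lists the largest files on that partition only, sorted by size. It assumes POSIX df, find, du and sort as found in the vCSA Bash shell, and uses a constructed df sample when df is unavailable.

```shell
#!/bin/sh
# Added example, not from the original post: report the root partition usage
# of a vCSA and, above a threshold, list the largest files on that partition
# only (the same df and find the post uses, with the results sorted by size).
# Assumes POSIX df, find, du and sort.
THRESHOLD=${THRESHOLD:-80}   # percent, alert at or above this value
MIN_SIZE=${MIN_SIZE:-100M}   # same cut-off as the post's find command

# root_use_pct: print the Use% of "/" from "df -P" output read on stdin
root_use_pct() {
    awk 'NR > 1 && $NF == "/" { sub(/%/, "", $(NF-1)); print $(NF-1) }'
}

# large_files: files on the root partition over MIN_SIZE, largest first,
# printed as "KiB path". -xdev keeps find from descending into other
# partitions such as /storage/log.
large_files() {
    find / -xdev -type f -size "+$MIN_SIZE" -exec du -k {} + 2>/dev/null \
        | sort -rn | head -n "${1:-20}"
}

# Constructed "df -P" output resembling a vCSA 6.0 with an 11 GB root
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda3         11273424 10820454    452970      96% /
/dev/sda1           131072    40000     91072      31% /boot'

if df -P / >/dev/null 2>&1; then
    pct=$(df -P / | root_use_pct)
else
    pct=$(printf '%s\n' "$SAMPLE_DF" | root_use_pct)
fi
printf 'root partition usage: %s%%\n' "$pct"
if [ "${pct:-0}" -ge "$THRESHOLD" ]; then
    printf 'at or above %s%%, largest files on / (KiB path):\n' "$THRESHOLD"
    large_files 20
fi
```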



Getting started with the vCSA 6.x – Part 3

22/01/2018

In part 1 and part 2 of this series about the vCSA, we have covered topics like the shells, filesystem, services, health, logging, database and some extra tools. Recently I realised there are a few more topics worth mentioning.

Appliance MUI

In pre-6.0 releases of the vCSA, there was a vCenter Server Appliance Management Interface, better known as the VAMI. This management interface is written in HTML5 and is now called the Appliance Management User Interface (Appliance MUI).

You will find the new management interface in vCSA 6.0 and 6.5; however, there are some differences.

You can log in to this interface using https://<vCSA fqdn or IP>:5480. Use a local account such as the “root” account.

Fig. 1 – Summary vCSA 6.0.



Writing effective scripts using VMware PowerCLI

30/12/2017

Lately I have been busy writing some Windows PowerShell scripts for a vSphere environment. I noticed that there are some similarities between learning a spoken language and a programming language. In both cases you start by learning the grammar and vocabulary and develop your skills through a lot of practice. But for both skills, when you have not used them for a while, they will fade.
While writing and testing my scripts, I realized that good preparation and a structured way of working will help you become more productive and make fewer mistakes.
This post is not a full-blown Windows PowerShell course, but contains some insights I would like to share with you. If this is all new, I recommend following a PowerShell Getting Started training. Pluralsight offers over 11 Windows PowerShell courses from beginner to expert level. So if you are relatively new to Windows PowerShell and VMware PowerCLI, please read on.



About Long Fat Networks and TCP tuning

08/09/2017

Recently I came across a data communications subject that was pretty unknown to me, known as the Bandwidth-delay product. Knowledge about this can help you to recognize certain network issues and ways to resolve them. It is all about two Linux hosts, a source and a destination host, communicating with each other over a high-capacity network link. The question is: how can you, given this scenario, reach maximum throughput over the network?

BDP

The first step is to determine the Bandwidth-delay product for this network. The Bandwidth-delay product (BDP) is defined as the product of a data link’s capacity (in bits per second) and its round-trip delay time (in seconds). The result, an amount of data (in bits or bytes), is the maximum amount of data that can be on the network at any given time, that is, data that has been transmitted but not yet acknowledged.
Why is this important? The TCP protocol is designed for reliable transmission of data, and acknowledgements are an essential part of the protocol. A high BDP value has an impact on the efficiency of TCP, because the protocol can only achieve optimum throughput if a sender sends a sufficiently large quantity of data before being required to stop and wait for a confirming message (acknowledgement) from the receiver, acknowledging successful receipt of that data.



Getting started with the vCSA 6.x – Part 2

30/07/2017

In the previous post we started to unravel the vCSA and discussed topics like the Appliance shell, the file system and the services. In this post we will continue with the vCSA Health.

Health

Knowing the health of your system is important. Like the Windows vCenter Server, the vCSA is also able to report its health. The most common way is using the vSphere Web Client: from the main menu, choose System Configuration and watch the “Service Health” pane. Detailed information can be found by clicking on the various services.

Figure 1

However, from the Appliance shell, the following API command will also inform you:

Command> system.health.get

If everything is OK, it will report: Health: green

In the Bash shell, you can browse to the folder: /etc/vmware-sca/health/.
On a vCSA 6.0, you will find two files with health status information:

vmware-vpxd-health-status.xml
vmware-postgres-health-status.xml

On a vCSA 6.5, you will only find the first file.
